Forgive me if I brag a bit in this post, but I think I earned the right. You be the judge.

Last weekend, I noticed strange behavior on my home system. ESET Smart Security kept reporting that it had “found and quarantined m.exe, probably a variant of Win.Qhost trojan.” Every time I plugged in a USB thumb drive, ESET would pop up with the message. I couldn’t run HijackThis. If I tried to go to certain antivirus websites–Avira in particular–my browser closed. Sysinternals Process Explorer wouldn’t run. My thumb drive showed two hidden files: Autorun.inf and m.exe. Hmmm. Running ipconfig /displaydns revealed multiple connections to porn and malware sites. Searching Google led me to some tools that eventually fixed my problem at home. Turns out I had a bigger problem.

Apparently, I had picked up the infection from a client’s Exchange server and during my weekly tour there, I found that the tools I used on my XP machine wouldn’t run on Windows Server 2003. I tried everything in my arsenal; no tool found anything wrong. This thing was very stealthy; even Safe Mode didn’t disable it. I was about to give up. Then I remembered that I’d recently finished making up a bootable Linux thumb drive virus scanner using the AntiVir rescue CD, a tool that allows offline scanning (thank you, Avira, you made it a little easier for me). I booted the server to the thumb drive, ran the scan, rebooted the server, and voila! The infection was gone.

There’s a whole backstory to this incident that I won’t bore you with. Suffice it to say that I’m glad I put in the hours of hacking and research to come up with a really useful tool that I was able to use to help a client. Veni! Vidi! Vici!

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States.
Privacy

I have just found this today on my network and Mcafee will not pick it up. In fact 15/36 popular scanners found it according to this site after I uploaded it. I have managed to wipe it from the usb but am unsure of how it originated and is spreading. I assume once loaded the next usb to be entered while the process is running will contract it.
It seems to not only use the autorun on the usb but installs itself locally, so even though I have re-imaged a whole bunch on troubled computers I still have many users with this on their usb's. Even though I have supplied the wiper for usb Im sure alot will not try running it. Really sneaky one this. Thanks for the link!
http://virscan.org/report/26521c2860fd9505c697955e68ceace4.html

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States.
Privacy

Processing your reply...

About This Blog

Ken "The Geek" Harthun takes the mystery out of computer security. You’ll find valuable advice, tips, and news on how to keep your PCs, network, and data safe from attack by crackers and cybercriminals.